Analysis
max time kernel: 120s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/08/2024, 05:21
Static task: static1
Behavioral task: behavioral1
Sample: 63846f0545e6163d027a52bd567bb6d0N.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: 63846f0545e6163d027a52bd567bb6d0N.exe
Resource: win10v2004-20240802-en
General
Target: 63846f0545e6163d027a52bd567bb6d0N.exe
Size: 2.6MB
MD5: 63846f0545e6163d027a52bd567bb6d0
SHA1: e6946c7f988f31b4efb315246147b007ea3675d6
SHA256: 3033861d0602d6984533979d09984a5c7ae4ff33afcbd45923bd6fb66900551d
SHA512: ce3896e7ec819730a6722efac618394cb28888bbd5e4bfb143f15af197b88559a6f016604b3eacdd0d4c982bf956b7358dc6c33fdd5fa58433bab4ba71c67d84
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bS:sxX7QnxrloE5dpUpgb
Malware Config
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copy of, a web browser credential store.
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe (process: 63846f0545e6163d027a52bd567bb6d0N.exe)
- Executes dropped EXE (2 IoCs)
  PID 4024: locdevopti.exe
  PID 2216: devbodsys.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv4C\\devbodsys.exe" (process: 63846f0545e6163d027a52bd567bb6d0N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxYR\\optixec.exe" (process: 63846f0545e6163d027a52bd567bb6d0N.exe)
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 63846f0545e6163d027a52bd567bb6d0N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: locdevopti.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: devbodsys.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2468 63846f0545e6163d027a52bd567bb6d0N.exe 2468 63846f0545e6163d027a52bd567bb6d0N.exe 2468 63846f0545e6163d027a52bd567bb6d0N.exe 2468 63846f0545e6163d027a52bd567bb6d0N.exe 4024 locdevopti.exe 4024 locdevopti.exe 2216 devbodsys.exe 2216 devbodsys.exe 4024 locdevopti.exe 4024 locdevopti.exe 2216 devbodsys.exe 2216 devbodsys.exe 4024 locdevopti.exe 4024 locdevopti.exe 2216 devbodsys.exe 2216 devbodsys.exe 4024 locdevopti.exe 4024 locdevopti.exe 2216 devbodsys.exe 2216 devbodsys.exe 4024 locdevopti.exe 4024 locdevopti.exe 2216 devbodsys.exe 2216 devbodsys.exe 4024 locdevopti.exe 4024 locdevopti.exe 2216 devbodsys.exe 2216 devbodsys.exe 4024 locdevopti.exe 4024 locdevopti.exe 2216 devbodsys.exe 2216 devbodsys.exe 4024 locdevopti.exe 4024 locdevopti.exe 2216 devbodsys.exe 2216 devbodsys.exe 4024 locdevopti.exe 4024 locdevopti.exe 2216 devbodsys.exe 2216 devbodsys.exe 4024 locdevopti.exe 4024 locdevopti.exe 2216 devbodsys.exe 2216 devbodsys.exe 4024 locdevopti.exe 4024 locdevopti.exe 2216 devbodsys.exe 2216 devbodsys.exe 4024 locdevopti.exe 4024 locdevopti.exe 2216 devbodsys.exe 2216 devbodsys.exe 4024 locdevopti.exe 4024 locdevopti.exe 2216 devbodsys.exe 2216 devbodsys.exe 4024 locdevopti.exe 4024 locdevopti.exe 2216 devbodsys.exe 2216 devbodsys.exe 4024 locdevopti.exe 4024 locdevopti.exe 2216 devbodsys.exe 2216 devbodsys.exe -
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2468 wrote to memory of 4024 (process: 63846f0545e6163d027a52bd567bb6d0N.exe, procid_target: 86)
  PID 2468 wrote to memory of 4024 (process: 63846f0545e6163d027a52bd567bb6d0N.exe, procid_target: 86)
  PID 2468 wrote to memory of 4024 (process: 63846f0545e6163d027a52bd567bb6d0N.exe, procid_target: 86)
  PID 2468 wrote to memory of 2216 (process: 63846f0545e6163d027a52bd567bb6d0N.exe, procid_target: 87)
  PID 2468 wrote to memory of 2216 (process: 63846f0545e6163d027a52bd567bb6d0N.exe, procid_target: 87)
  PID 2468 wrote to memory of 2216 (process: 63846f0545e6163d027a52bd567bb6d0N.exe, procid_target: 87)
Processes
- C:\Users\Admin\AppData\Local\Temp\63846f0545e6163d027a52bd567bb6d0N.exe (PID 2468, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\63846f0545e6163d027a52bd567bb6d0N.exe"
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe (PID 4024, depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  - Child: C:\SysDrv4C\devbodsys.exe (PID 2216, depth 2)
    Command line: C:\SysDrv4C\devbodsys.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads